Table of Contents
Contact Information
Scope
This policy applies to:
- All employees, contractors, and authorized partners
- All users of the Insurly platform and services
- All data collected, processed, or stored by Insurly
- All third-party services and subprocessors used by Insurly
Regulatory Frameworks We Comply With
Health Insurance Portability and Accountability Act (HIPAA)
We comply with HIPAA for all Protected Health Information (PHI) uploaded to the platform, including Explanation of Benefits (EOBs), claims, and related documents.
- Signed Business Associate Agreements (BAAs) with relevant vendors
- Role-based access to PHI
- Encryption at rest and in transit
- Breach notification protocols in place
General Data Protection Regulation (GDPR)
For EU/EEA/UK residents, we provide:
- Right to access, correct, delete, or restrict your data
- Data processing based on legitimate interest, contract, or consent
- Standard Contractual Clauses (SCCs) for international data transfers
- EU/UK user data stored in compliance with GDPR principles
U.S. State Privacy Laws (CCPA, CPRA, and others)
We honor state-specific privacy rights for users in California and other states:
- Right to know, delete, and opt-out of certain data processing
- "Do Not Sell or Share" options
- Compliance with CPRA, Colorado Privacy Act, Virginia CDPA, and more
Data Security Controls
We implement comprehensive security controls to protect your data:
- AES-256 encryption for all stored data
- TLS 1.2+ encryption for data in transit
- Secure, audited infrastructure (e.g., Supabase, Stripe)
- 2FA and role-based access for staff accounts
- Quarterly internal audits and annual penetration tests
- Logging and monitoring of all access to sensitive data
AI & Data Ethics
Our commitment to ethical AI and data practices:
- Our AI is trained on insurance-specific datasets
- AI providers (e.g., OpenAI) are vetted for privacy and compliance
- Users are warned that AI outputs are informational, not legal/financial advice
- AI logs are reviewed for ethical usage and fairness
We are committed to responsible AI that respects privacy and promotes fairness.
Vendor & Subprocessor Management
We carefully evaluate all third-party vendors for compliance and security:
| Vendor | Purpose | Privacy Link |
|---|---|---|
| Stripe | Payment Processing | stripe.com/privacy |
| Supabase | Authentication & Database | supabase.com/privacy |
| OpenAI | AI-powered analysis | openai.com/privacy |
| Analytics & Auth | policies.google.com/privacy |
We maintain up-to-date Data Processing Agreements (DPAs) with all subprocessors.
Training & Awareness
We ensure all team members are well-trained on compliance and security:
- All staff undergo annual privacy and security training
- Developers follow secure coding guidelines and least privilege principles
- Employees are trained to report potential compliance issues immediately
Incident Response & Breach Notification
In the event of a data breach:
- We will notify affected users within the time required by law (HIPAA: 60 days; GDPR: 72 hours)
- A formal incident response plan is followed
- For PHI-related breaches, we follow HIPAA's Breach Notification Rule
We take any potential security incident seriously and respond promptly.
Policy Review & Enforcement
We maintain strict governance around our compliance policies:
- This policy is reviewed annually or whenever regulations change
- Non-compliance may result in disciplinary action, up to termination or contract revocation
- Users and employees can report suspected violations to privacy@insurly.io
Contact
If you have questions about our compliance or would like to report a concern, contact: